troxy-cli 1.1.1 → 1.2.1

package/README.md

@@ -0,0 +1,87 @@
+# troxy-cli
+
+The official Troxy CLI — onboard AI agents, manage cards and policies from the terminal.
+
+## Prerequisites
+
+Node.js 18+ is required. Run `node -v` — if you get a version, skip this.
+
+**Amazon Linux / RHEL / CentOS**
+```bash
+curl -fsSL https://rpm.nodesource.com/setup_20.x | sudo bash -
+sudo yum install -y nodejs
+```
+
+**Ubuntu / Debian**
+```bash
+curl -fsSL https://deb.nodesource.com/setup_20.x | sudo bash -
+sudo apt-get install -y nodejs
+```
+
+**macOS**
+```bash
+brew install node
+```
+
+**Any system (nvm)**
+```bash
+curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.7/install.sh | bash
+source ~/.bashrc
+nvm install --lts
+```
+
+Verify: `node --version` and `npx --version` should both return a version.
+
+## Install
+
+```bash
+npm install -g troxy-cli
+```
+
+Or run without installing:
+
+```bash
+npx troxy-cli <command>
+```
+
+## Commands
+
+| Command | Description |
+|---------|-------------|
+| `troxy init` | Connect an agent to Troxy — validates API key, sets agent name, writes config |
+| `troxy login` | Authenticate via magic-link code (enter the code from your email) |
+| `troxy cards` | List card aliases |
+| `troxy policies` | List policies |
+| `troxy activity` | View recent transaction audit log |
+| `troxy status` | Show current config and connection status |
+
+## How it works
+
+1. User runs `troxy init --key txy-...` in their agent project
+2. CLI validates the key against `api.troxy.io`, prompts for agent name
+3. Writes a `.troxy/config.json` to the project directory
+4. Agent uses the config to call `/evaluate` before every payment
+
+## MCP Server
+
+The CLI also ships an MCP server (`src/mcp-server.js`) that exposes Troxy as a tool for Claude and other MCP-compatible agents.
+
+## Auth flow
+
+`troxy login` triggers the same magic-link flow as the dashboard:
+- Sends a code to your email
+- Prompts you to enter the `XXXX-XXXX` code in the terminal
+- Stores the JWT locally for subsequent CLI calls
+
+## Stack
+
+- Node.js 18+ (ESM)
+- Zero runtime dependencies except `@modelcontextprotocol/sdk`
+- Published to npm as `troxy-cli`
+
+## Related repos
+
+| Repo | Description |
+|------|-------------|
+| [troxy-tf-live](https://github.com/troxy-hq/troxy-tf-live) | Backend API the CLI talks to |
+| [troxy-dashboard](https://github.com/troxy-hq/troxy-dashboard) | Web dashboard alternative |

package/bin/troxy.js

@@ -1,14 +1,14 @@
 #!/usr/bin/env node
-import { runInit }      from '../src/init.js';
-import { runUninstall } from '../src/uninstall.js';
-import { runMcp }      from '../src/mcp-server.js';
-import { runLogin, clearSession } from '../src/auth.js';
-import { runCards }    from '../src/cards.js';
-import { runPolicies } from '../src/policies.js';
-import { runActivity } from '../src/activity.js';
-import { api }         from '../src/api.js';
-import { requireJwt }  from '../src/auth.js';
-import { table }       from '../src/print.js';
+import { runInit }                     from '../src/init.js';
+import { runUninstall }                from '../src/uninstall.js';
+import { runMcp }                      from '../src/mcp-server.js';
+import { runLogin, clearSession, requireKey, getKeySource } from '../src/auth.js';
+import { runCards }                    from '../src/cards.js';
+import { runPolicies }                 from '../src/policies.js';
+import { runMcps }                     from '../src/mcps.js';
+import { runActivity }                 from '../src/activity.js';
+import { api }                         from '../src/api.js';
+import { table }                       from '../src/print.js';
 
 const [,, command, sub, ...rest] = process.argv;
 const allArgs = [sub, ...rest].filter(Boolean);
@@ -26,6 +26,26 @@ for (let i = 0; i < allArgs.length; i++) {
   }
 }
 
+try { await _run(); } catch (err) { _handleError(err); }
+
+function _handleError(err) {
+  if (err.code === 'UNAUTHORIZED') {
+    const source = getKeySource();
+    if (source === 'config') {
+      console.error('\n  API key revoked or invalid.');
+      console.error('  Your saved key is no longer accepted by Troxy.');
+      console.error('  Run: npx troxy init --key <new-key>  to reconnect.\n');
+    } else {
+      console.error('\n  API key invalid or revoked.');
+      console.error('  Check the key in your Troxy dashboard → Connections.\n');
+    }
+  } else {
+    console.error(`\n  Error: ${err.message}\n`);
+  }
+  process.exit(1);
+}
+
+async function _run() {
 switch (command) {
   // ── Setup ─────────────────────────────────────────────────────
   case 'init':
@@ -37,6 +57,22 @@ switch (command) {
     break;
 
   // ── Auth ──────────────────────────────────────────────────────
+  case 'connect': {
+    const k = flags.key;
+    if (!k || !k.startsWith('txy-')) {
+      console.error('\n  Usage: troxy connect --key txy-...\n');
+      process.exit(1);
+    }
+    // Validate key before saving
+    process.stdout.write('\n  Validating key... ');
+    await api.agentStatus(k);
+    console.log('✓');
+    const { saveConfig } = await import('../src/config.js');
+    saveConfig({ apiKey: k });
+    console.log('  Key saved to ~/.troxy/config.json\n');
+    break;
+  }
+
   case 'login':
     await runLogin(flags);
     break;
@@ -51,7 +87,7 @@ switch (command) {
     await runMcp();
     break;
 
-  // ── Resources ─────────────────────────────────────────────────
+  // ── Resources (read-only: --key or saved config; write: login) ─
   case 'cards':
     await runCards(positional, flags);
     break;
@@ -60,26 +96,81 @@ switch (command) {
     await runPolicies(positional, flags);
     break;
 
+  case 'mcps':
+    await runMcps(positional, flags);
+    break;
+
   case 'activity':
     await runActivity(flags);
     break;
 
-  // ── Shorthand: troxy list [cards|policies|activity] ───────────
+  case 'insights': {
+    const apiKey = requireKey(flags);
+    const period = Number(flags.period || 30);
+    const data   = await api.agentInsights(apiKey, period);
+    const d      = data;
+    console.log(`
+  Insights — last ${d.period_days} days
+  ──────────────────────────────────
+  Total requests:  ${d.total_requests}
+  Total spent:     $${Number(d.total_spent).toFixed(2)}
+  Total blocked:   $${Number(d.total_blocked).toFixed(2)}
+
+  Decisions
+    ALLOW:     ${d.decisions.ALLOW}
+    BLOCK:     ${d.decisions.BLOCK}
+    ESCALATE:  ${d.decisions.ESCALATE}
+    NOTIFY:    ${d.decisions.NOTIFY}
+`);
+    if (d.top_merchants?.length) {
+      console.log('  Top merchants');
+      table(
+        ['Merchant', 'Requests', 'Total Spend'],
+        d.top_merchants.map(m => [m.merchant, m.requests, `$${Number(m.total).toFixed(2)}`]),
+      );
+    }
+    break;
+  }
+
+  // ── Shorthand: troxy list [resource] ──────────────────────────
   case 'list':
-    if (!sub || sub === 'cards')    { await runCards(['list'], flags); break; }
+    if (!sub || sub === 'cards')    { await runCards(['list'], flags);    break; }
     if (sub === 'policies')         { await runPolicies(['list'], flags); break; }
-    if (sub === 'activity')         { await runActivity(flags); break; }
-    console.error(`  Unknown resource: ${sub}. Try: cards, policies, activity\n`);
+    if (sub === 'mcps')             { await runMcps(['list'], flags);     break; }
+    if (sub === 'activity')         { await runActivity(flags);           break; }
+    console.error(`  Unknown resource: ${sub}. Try: cards, policies, mcps, activity\n`);
     process.exit(1);
 
   // ── Status ────────────────────────────────────────────────────
   case 'status': {
     const health = await api.health();
-    console.log(`\n  API:  ${health.status === 'ok' ? '✓ online' : '✗ ' + health.status}`);
-    console.log(`  DB:   ${health.db}`);
-    console.log(`  Env:  ${health.env}`);
+    process.stdout.write(`\n  API:  ${health.status === 'ok' ? '✓ online' : '✗ ' + health.status}\n`);
+    process.stdout.write(`  DB:   ${health.db}\n`);
+    process.stdout.write(`  Env:  ${health.env}\n`);
 
-    // Check for newer version on npm (best-effort, don't fail if offline)
+    // If we have a key, show enriched status
+    try {
+      const apiKey  = requireKey(flags);
+      const source  = getKeySource();
+      const data    = await api.agentStatus(apiKey);
+      const { token, account } = data;
+      const keyNote = source === 'config'
+        ? '(saved — run `troxy init` to change)'
+        : source === 'env' ? '(from TROXY_API_KEY env)' : '(passed via --key)';
+      console.log(`
+  Key:      ${token.prefix}  ${keyNote}
+  MCP:      ${token.connected ? '● connected' : '○ offline'}  last seen ${token.last_seen}
+  Fallback: ${token.default_action}
+
+  Account
+    Active policies:  ${account.active_policies}
+    MCPs total:       ${account.total_mcps}  (${account.connected_mcps} connected)
+    Requests 24h:     ${account.requests_24h}
+    Default action:   ${account.default_action}
+`);
+    } catch (err) { if (err.code === 'UNAUTHORIZED') throw err; console.log(); }
+
+    // Version check
     try {
       const { createRequire } = await import('module');
       const require = createRequire(import.meta.url);
@@ -87,12 +178,11 @@ switch (command) {
       const res  = await fetch('https://registry.npmjs.org/troxy-cli/latest', { signal: AbortSignal.timeout(3000) });
       const { version: latest } = await res.json();
       if (current !== latest) {
-        console.log(`\n  ⚠  New version available: ${latest} (you have ${current})`);
-        console.log(`     Update with: sudo npm install -g troxy-cli@latest`);
+        console.log(`  ⚠  New version available: ${latest} (you have ${current})`);
+        console.log(`     Update with: sudo npm install -g troxy-cli@latest\n`);
       }
     } catch {}
 
-    console.log();
     break;
   }
 
@@ -102,27 +192,33 @@ switch (command) {
     console.log(`
   Troxy — AI payment control
 
+  First time on a machine?  Run: npx troxy init --key <api-key>
+  This saves your key to ~/.troxy/config.json — no need to pass --key again.
+
   Setup
-    npx troxy init --key <api-key>      Initialize and patch MCP clients
-    npx troxy uninstall                 Remove Troxy from this machine
-    npx troxy login                     Log in to your dashboard account
-    npx troxy logout                    Clear local session
-    npx troxy status                    Check API health
-
-  Cards
-    npx troxy cards list
-    npx troxy cards create --name "Personal" [--budget 500] [--provider stripe]
-    npx troxy cards delete --name "Personal"
-
-  Policies
-    npx troxy policies list
-    npx troxy policies create --name "Block high" --action BLOCK --field amount --operator gte --value 100
-    npx troxy policies enable  --name "Block high"
-    npx troxy policies disable --name "Block high"
-    npx troxy policies delete  --name "Block high"
-
-  Activity
-    npx troxy activity [--limit 50]
+    troxy connect --key <api-key>  Save API key (CLI only — no MCP setup)
+    troxy init --key <api-key>     Full setup: save key + configure MCP
+    troxy uninstall                Remove Troxy from this machine
+    troxy status                   API health + which key is in use
+
+  Inspect  (uses saved key — no flags needed after init)
+    troxy policies list
+    troxy policies describe --name "Block Amazon"
+    troxy mcps list
+    troxy cards list
+    troxy activity [--limit 50] [--mine]
+    troxy insights [--period 7]
+
+  Manage  (requires: npx troxy login)
+    troxy policies create --name "X" --action BLOCK --field amount --operator gte --value 500
+    troxy policies enable  --name "X"
+    troxy policies disable --name "X"
+    troxy policies delete  --name "X"
+    troxy cards create --name "Personal" [--budget 500]
+    troxy cards delete --name "Personal"
+
+  Override key for a single command:  --key txy-...
 `);
     process.exit(command ? 1 : 0);
 }
+} // end _run

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "troxy-cli",
-  "version": "1.1.1",
+  "version": "1.2.1",
   "description": "AI payment control — protect your agent's payments with policies",
   "type": "module",
   "bin": {
@@ -19,6 +19,12 @@
     "bin/",
     "src/"
   ],
-  "keywords": ["mcp", "ai", "payments", "policy", "agents"],
+  "keywords": [
+    "mcp",
+    "ai",
+    "payments",
+    "policy",
+    "agents"
+  ],
   "license": "MIT"
 }

package/src/activity.js

@@ -1,27 +1,34 @@
-import { api }        from './api.js';
-import { requireJwt } from './auth.js';
-import { table }      from './print.js';
+import { api }               from './api.js';
+import { requireKey }        from './auth.js';
+import { table }             from './print.js';
 
-const DECISION_ICON = { ALLOW: '✓', BLOCK: '✗', ESCALATE: '⏳', NOTIFY: '~' };
+const ICON = { ALLOW: '✓', BLOCK: '✗', ESCALATE: '⏳', NOTIFY: '~' };
 
 export async function runActivity(flags) {
-  const jwt   = requireJwt();
-  const limit = Number(flags.limit || 20);
-  const data  = await api.activity(jwt, limit);
-  const rows  = data?.items || [];
+  const apiKey = requireKey(flags);
+  const limit  = Number(flags.limit || 20);
+  const mine   = !!flags.mine;
+
+  const data = await api.agentActivity(apiKey, limit, mine);
+  const rows = data?.activity || [];
 
   if (!rows.length) { console.log('\n  No activity yet.\n'); return; }
 
   console.log();
   table(
-    ['Decision', 'Agent', 'Merchant', 'Amount', 'Policy', 'Time'],
-    rows.map(r => [
-      `${DECISION_ICON[r.decision] || ' '} ${r.decision}`,
-      r.agent_name || 'unknown',
-      r.merchant_name || '—',
-      r.amount ? `$${Number(r.amount).toFixed(2)}` : '—',
-      r.policy_name || '—',
-      new Date(r.created_at).toLocaleString(),
-    ]),
+    ['Decision', 'Merchant', 'Category', 'Amount', 'Policy', 'Card', 'Agent', 'When'],
+    rows.map(r => {
+      const icon = ICON[r.decision?.split('→')[0]] || ' ';
+      return [
+        `${icon} ${r.decision}`,
+        r.merchant,
+        r.category,
+        r.amount ? `$${Number(r.amount).toFixed(2)}` : '—',
+        r.policy,
+        r.card,
+        r.agent,
+        r.when,
+      ];
+    }),
   );
 }

package/src/api.js

@@ -14,7 +14,11 @@ async function request(method, path, { apiKey, jwt, body } = {}) {
   });
 
   const data = await res.json();
-  if (!res.ok) throw new Error(data?.error || `HTTP ${res.status}`);
+  if (!res.ok) {
+    const err = new Error(data?.error || `HTTP ${res.status}`);
+    if (res.status === 401) err.code = 'UNAUTHORIZED';
+    throw err;
+  }
   return data;
 }
 
@@ -50,6 +54,14 @@ export const api = {
 
   // MCP heartbeat (agent API key)
   mcpHeartbeat: (apiKey, agentName) => request('POST', '/mcp/heartbeat', { apiKey, body: agentName ? { agent_name: agentName } : undefined }),
+
+  // Agent read-only API (API key auth — no JWT required)
+  agentStatus:   (apiKey)              => request('GET', '/agent/status',   { apiKey }),
+  agentPolicies: (apiKey)              => request('GET', '/agent/policies',  { apiKey }),
+  agentMcps:     (apiKey)              => request('GET', '/agent/mcps',      { apiKey }),
+  agentCards:    (apiKey)              => request('GET', '/agent/cards',      { apiKey }),
+  agentActivity: (apiKey, limit, mine) => request('GET', `/agent/activity?limit=${limit || 20}${mine ? '&mine=true' : ''}`, { apiKey }),
+  agentInsights: (apiKey, period)      => request('GET', `/agent/insights?period=${period || 30}`, { apiKey }),
 };
 
 // Named export for backwards compat with init.js + mcp-server.js

package/src/auth.js

@@ -33,6 +33,39 @@ export function requireJwt() {
   return session.jwt;
 }
 
+// Tracks how the last key was resolved — read by bin/troxy.js error handler
+let _lastKeySource = null;
+
+export function getKeySource() { return _lastKeySource; }
+
+/**
+ * Resolve API key: --key flag → TROXY_API_KEY env → saved config (~/.troxy/config.json).
+ * Exits with a helpful message if nothing is found.
+ */
+export function requireKey(flags = {}) {
+  if (flags.key) {
+    _lastKeySource = 'flag';
+    return flags.key;
+  }
+  if (process.env.TROXY_API_KEY) {
+    _lastKeySource = 'env';
+    return process.env.TROXY_API_KEY;
+  }
+  const saved = loadConfig()?.apiKey;
+  if (saved) {
+    _lastKeySource = 'config';
+    return saved;
+  }
+  console.error('\n  No API key found.');
+  console.error('  Run: npx troxy init --key txy-...  to connect this machine.\n');
+  process.exit(1);
+}
+
+function loadConfig() {
+  const p = path.join(os.homedir(), '.troxy', 'config.json');
+  try { return JSON.parse(fs.readFileSync(p, 'utf8')); } catch { return null; }
+}
+
 /** Interactive magic-link login flow. */
 export async function runLogin({ email } = {}) {
   if (!email) {

package/src/cards.js

@@ -1,30 +1,34 @@
-import { api }        from './api.js';
-import { requireJwt } from './auth.js';
-import { table } from './print.js';
+import { api }               from './api.js';
+import { requireJwt, requireKey } from './auth.js';
+import { table }             from './print.js';
 
 export async function runCards([sub, ...args], flags) {
+  // list is read-only — works with API key
+  if (!sub || sub === 'list') {
+    const apiKey = requireKey(flags);
+    const data   = await api.agentCards(apiKey);
+    const cards  = data?.cards || [];
+    if (!cards.length) { console.log('\n  No cards yet.\n'); return; }
+    console.log();
+    table(
+      ['Name', 'Last 4', 'Status', 'Budget', 'Used', 'Remaining', 'Default Action'],
+      cards.map(c => [
+        c.name,
+        c.last_four ? `···${c.last_four}` : '—',
+        c.status,
+        c.monthly_budget ? `$${c.monthly_budget}` : 'no limit',
+        `$${Number(c.budget_used || 0).toFixed(2)}`,
+        c.budget_remaining != null ? `$${Number(c.budget_remaining).toFixed(2)}` : '—',
+        c.default_action || 'ALLOW',
+      ]),
+    );
+    return;
+  }
+
+  // Write operations need JWT
   const jwt = requireJwt();
 
   switch (sub) {
-    case 'list':
-    case undefined: {
-      const data = await api.listCards(jwt);
-      const cards = data?.cards || [];
-      if (!cards.length) { console.log('\n  No cards yet.\n'); return; }
-      console.log();
-      table(
-        ['Name', 'Last 4', 'Status', 'Budget', 'Used'],
-        cards.map(c => [
-          c.name,
-          c.last4 ? `···${c.last4}` : '—',
-          c.status,
-          c.budget ? `$${c.budget}` : 'no limit',
-          `$${Number(c.budget_used || 0).toFixed(2)}`,
-        ]),
-      );
-      break;
-    }
-
     case 'create': {
       const name = flags.name;
       if (!name) { console.error('  --name is required\n'); process.exit(1); }
@@ -44,8 +48,7 @@ export async function runCards([sub, ...args], flags) {
       const name = flags.name;
       if (!name) { console.error('  --name is required\n'); process.exit(1); }
       const data = await api.listCards(jwt);
-      const cards = data?.cards || [];
-      const card  = cards.find(c => c.name === name);
+      const card = (data?.cards || []).find(c => c.name === name);
       if (!card) { console.error(`  Card "${name}" not found\n`); process.exit(1); }
       await api.deleteCard(jwt, card.id);
       console.log(`\n  Card "${name}" deleted ✓\n`);
@@ -54,7 +57,7 @@ export async function runCards([sub, ...args], flags) {
 
     default:
       console.error(`  Unknown subcommand: ${sub}`);
-      console.error('  Usage: npx troxy cards [list|create|delete]\n');
+      console.error('  Usage: troxy cards [list|create|delete]\n');
       process.exit(1);
   }
 }

package/src/mcps.js

@@ -0,0 +1,35 @@
+import { api }       from './api.js';
+import { loadConfig } from './config.js';
+import { requireKey } from './auth.js';
+import { table }      from './print.js';
+
+export async function runMcps([sub], flags) {
+  const apiKey = requireKey(flags);
+
+  switch (sub || 'list') {
+    case 'list': {
+      const data = await api.agentMcps(apiKey);
+      const mcps = data?.mcps || [];
+      if (!mcps.length) { console.log('\n  No MCP connections yet.\n'); return; }
+      console.log();
+      table(
+        ['Name', 'Prefix', 'Status', 'Last Seen', 'Policies', 'Default Action', 'Me'],
+        mcps.map(m => [
+          m.name,
+          m.token_prefix,
+          m.connected ? '● connected' : '○ offline',
+          m.last_seen,
+          m.policies_assigned,
+          m.default_action,
+          m.is_me ? '← you' : '',
+        ]),
+      );
+      break;
+    }
+
+    default:
+      console.error(`  Unknown subcommand: ${sub}`);
+      console.error('  Usage: troxy mcps [list]\n');
+      process.exit(1);
+  }
+}

package/src/policies.js

@@ -1,30 +1,70 @@
-import { api }        from './api.js';
-import { requireJwt } from './auth.js';
-import { table }      from './print.js';
+import { api }               from './api.js';
+import { requireJwt, requireKey } from './auth.js';
+import { table }             from './print.js';
+
+const DECISION_ICON = { ALLOW: '✓', BLOCK: '✗', ESCALATE: '⏳', NOTIFY: '~', TIERED: '⊕' };
+
+function _scope(p) {
+  if (p.global !== false) return 'all MCPs';
+  if (p.mcps && p.mcps.length > 0) return p.mcps.map(m => m.name || m.token_prefix || 'MCP').join(', ');
+  return 'no MCPs applied';
+}
 
 export async function runPolicies([sub, ...args], flags) {
-  const jwt = requireJwt();
+  // Read-only subcommands work with just an API key
+  const readOnly = !sub || sub === 'list' || sub === 'describe';
 
-  switch (sub) {
-    case 'list':
-    case undefined: {
-      const data = await api.listPolicies(jwt);
-      const policies = data?.policies || [];
-      if (!policies.length) { console.log('\n  No policies yet.\n'); return; }
-      console.log();
-      table(
-        ['Name', 'Action', 'Priority', 'Status', 'Conditions'],
-        policies.map(p => [
-          p.name,
-          p.action,
-          p.priority,
-          p.enabled ? 'enabled' : 'disabled',
-          Array.isArray(p.conditions) ? `${p.conditions.length} condition(s)` : '—',
-        ]),
-      );
-      break;
+  if (readOnly) {
+    const apiKey = requireKey(flags);
+    switch (sub || 'list') {
+      case 'list': {
+        const data = await api.agentPolicies(apiKey);
+        const policies = data?.policies || [];
+        if (!policies.length) { console.log('\n  No policies yet.\n'); return; }
+        console.log();
+        table(
+          ['#', 'Name', 'Action', 'Scope', 'Status', 'Conditions', 'Applies to me'],
+          policies.map(p => [
+            p.priority,
+            p.name,
+            p.action,
+            _scope(p),
+            p.enabled ? 'enabled' : 'disabled',
+            _condSummary(p),
+            p.applies_to_me ? '✓' : '—',
+          ]),
+        );
+        break;
+      }
+
+      case 'describe': {
+        const name = flags.name;
+        if (!name) { console.error('  --name is required\n'); process.exit(1); }
+        const data = await api.agentPolicies(apiKey);
+        const p = (data?.policies || []).find(x => x.name.toLowerCase() === name.toLowerCase());
+        if (!p) { console.error(`  Policy "${name}" not found\n`); process.exit(1); }
+
+        console.log(`
+  Name:          ${p.name}
+  Action:        ${p.action}
+  Priority:      ${p.priority}
+  Status:        ${p.enabled ? 'enabled' : 'disabled'}
+  Scope:         ${p.scope}
+  Applies here:  ${p.applies_to_me ? 'yes' : 'no'}
+  MCPs:          ${p.mcps.length ? p.mcps.map(m => m.name).join(', ') : p.global ? 'all MCPs' : 'none'}
+  Conditions:    ${_condDetail(p)}
+  Created:       ${new Date(p.created_at).toLocaleDateString()}
+`);
+        break;
+      }
     }
+    return;
+  }
 
+  // Write subcommands need JWT
+  const jwt = requireJwt();
+
+  switch (sub) {
     case 'create': {
       const name   = flags.name;
       const action = (flags.action || '').toUpperCase();
@@ -34,8 +74,6 @@ export async function runPolicies([sub, ...args], flags) {
         console.error('  --action must be ALLOW, BLOCK, ESCALATE, or NOTIFY\n');
         process.exit(1);
       }
-
-      // Build a single condition if --field/--operator/--value are provided
       const conditions = [];
       if (flags.field) {
         if (!flags.operator) { console.error('  --operator is required with --field\n'); process.exit(1); }
@@ -44,16 +82,7 @@ export async function runPolicies([sub, ...args], flags) {
         if (flags.value2) cond.value2 = flags.value2;
         conditions.push(cond);
       }
-
-      const body = {
-        name,
-        action,
-        conditions,
-        conditions_logic: (flags.logic || 'AND').toUpperCase(),
-        enabled: true,
-      };
-
-      const policy = await api.createPolicy(jwt, body);
+      const policy = await api.createPolicy(jwt, { name, action, conditions, enabled: true });
       console.log(`\n  Policy "${policy.name}" created ✓  (priority: ${policy.priority})\n`);
       break;
     }
@@ -62,7 +91,7 @@ export async function runPolicies([sub, ...args], flags) {
       const name = flags.name;
       if (!name) { console.error('  --name is required\n'); process.exit(1); }
       const { policies = [] } = await api.listPolicies(jwt);
-      const policy   = policies.find(p => p.name === name);
+      const policy = policies.find(p => p.name === name);
       if (!policy) { console.error(`  Policy "${name}" not found\n`); process.exit(1); }
       await api.deletePolicy(jwt, policy.id);
       console.log(`\n  Policy "${name}" deleted ✓\n`);
@@ -71,10 +100,10 @@ export async function runPolicies([sub, ...args], flags) {
 
     case 'enable':
     case 'disable': {
-      const name    = flags.name;
+      const name = flags.name;
       if (!name) { console.error('  --name is required\n'); process.exit(1); }
       const { policies = [] } = await api.listPolicies(jwt);
-      const policy   = policies.find(p => p.name === name);
+      const policy = policies.find(p => p.name === name);
       if (!policy) { console.error(`  Policy "${name}" not found\n`); process.exit(1); }
       await api.updatePolicy(jwt, policy.id, { enabled: sub === 'enable' });
       console.log(`\n  Policy "${name}" ${sub}d ✓\n`);
@@ -83,7 +112,21 @@ export async function runPolicies([sub, ...args], flags) {
 
     default:
       console.error(`  Unknown subcommand: ${sub}`);
-      console.error('  Usage: npx troxy policies [list|create|delete|enable|disable]\n');
+      console.error('  Usage: troxy policies [list|describe|create|delete|enable|disable]\n');
       process.exit(1);
   }
 }
+
+function _condSummary(p) {
+  const c = p.conditions || [];
+  const o = p.or_conditions || [];
+  const total = c.length + o.length;
+  if (total === 0) return 'always';
+  return `${total} condition${total > 1 ? 's' : ''}`;
+}
+
+function _condDetail(p) {
+  const c = p.conditions || [];
+  if (!c.length) return 'none (always matches)';
+  return c.map(x => `${x.field} ${x.operator} ${x.value || ''}${x.value2 ? '–'+x.value2 : ''}`).join(' AND ');
+}